TECHNICAL FIELD
[0001] The present invention relates to a method and an apparatus for determining a digital
print representative of a state of an external non-volatile memory. It is applicable
to the technical domain of securing embedded systems.
BACKGROUND OF THE INVENTION
[0002] According to the Recommendation ITU-T Y.2060 provided by the International Telecommunication
institute, the Internet of things (IoT) is defined as a global infrastructure for
the information society, enabling advanced services by interconnecting physical and
virtual things based on existing and evolving interoperable information and communication
technologies. A thing is an object of the physical world (physical things) or the
information world (virtual things), which is capable of being identified and integrated
into communication networks. At present, IoT is generally applied in fields such as
security surveillance, automatic vending machines, public traffic systems, vehicle
monitoring and management, industry process automatization, motor machineries, city
informationalization.
[0003] In this description, the expression IoT device refers to a piece of equipment with
communication capabilities and optionally capacity of data capture, sensing, data
storage and/or data processing. An IoT device comprises for example a wireless
communication module also called Machine Type Communication (MTC) module allowing
transmission of data from one IoT device to another or exchange of data between machines
through UMTS/HSDPA, CDMA/EVDO, LTE, 5G, LoRa or other networks. It also comprises
a computing system composed for example of a processing unit and an associated non-volatile
memory (NVM).
[0004] The processing unit is for example a microprocessor, a system-on-chip (SoC) processing
unit or a secure element.
[0005] The non-volatile memory (NVM) associated to the processing unit can be of different
types. For example, one can find today non-volatile memories available on the market
which can be erased and reprogrammed. Two common examples of existing non-volatile
random access memories (NVRAM) are electrically erasable programmable read-only memory
(EEPROM) and Flash memory technologies which are both widely used in today's systems.
[0006] Embedded systems are examples of computing systems for which specific constraints
such as real time processing have to be taken into account. Embedded systems are widely
used for implementing the Internet of Things (IoT) ecosystem and billions of devices
are expected to be deployed in the field. System architects and designers need to
address several security issues.
[0007] In particular, as the IoT devices and their embedded systems are deployed in the
field, they can be easily accessible to malevolent persons skilled enough to
implement security attacks such as a rollback attack. A rollback attack aims at modifying
a computing system for it to run an older, insecure and/or modified software version
rather than the genuine version, which can make the computing system more vulnerable
to potential attacks.
[0008] Another type of attack to be considered during the design phase of an embedded system
is the so-called replay attack which reuses data which is for example stored in the
memory of the embedded system. Both rollback and replay attacks may therefore be conducted
by accessing and modifying the content of the non-volatile memory. When the memory
is implemented externally to the processing means of the embedded systems which may
be secured, data can be modified for running some of the aforementioned attacks. This
is the case for example when a secure enclave cooperates with an external memory.
[0009] In this description, the expression external memory refers to a memory implemented
by the embedded system, but which is not internal to the processing means. It can
be for example connected to the processing unit using a data bus. The external memory
can be soldered together with the processing unit on a printed circuit or accessed
through a memory card reader in case the memory is removable.
[0010] In addition, the expression secure enclave refers to a secure area that is adapted
to process data and protect their integrity and confidentiality and comprising a set
of at least one hardware and/or software components. This secure enclave can be implemented
for example into a processor in the form of a Trusted Execution Environment (TEE)
or as a secure element embedded in a system or integrated in a System-on-Chip (SoC).
[0011] One important weakness of an embedded system having processing means cooperating
with an external memory is that a fraudulent user may replace the genuine external
memory implemented in the embedded system by its own external memory with its own
data for conducting attacks such as rollback or replay attacks.
[0012] State-of-the-art mechanisms can be used against the aforementioned attacks. For example,
well known anti-replay mechanisms relying on the use of a one-time programmable (OTP)
memory can be used advantageously. An example is provided in the publication of the
international patent application WO2011073435A1. A drawback of this type of countermeasure
is the large amount of one-time programmable memory required for being efficient on a
long term perspective. Other existing alternatives can also be considered, such as using
an internal flash memory or a secure external flash memory but these solutions are
expensive and not flexible.
[0013] Therefore, there is a need for a solution allowing to secure the use of a memory
of an embedded system which minimizes the needs for additional one-time programmable
memory while allowing a flexible implementation of the embedded system.
SUMMARY OF THE INVENTION
[0014] The invention relates to an embedded system comprising an external non-volatile memory
composed of a plurality of memory cells and a processing unit comprising a secure
memory containing a memorized value MEM_ID attributed to said processing unit, the
processing unit being configured to determine a digital print DP_calc identifying a
state of the external non-volatile memory by:
- identifying a set of at least one memory cell of the external non-volatile memory
by applying a function F1 using the memorized value MEM_ID as an input;
- providing at least one wear level WL_n associated to the one or several memory cells
belonging to said set of at least one memory cell;
- determining the digital print DP_calc by applying a function F3 to the at least one
wear level WL_n.
[0015] According to an embodiment, the digital print DP_calc is used for authenticating the
external non-volatile memory by the processing unit by comparing said digital print
DP_calc with a reference digital print DP_ref memorized by the processing unit, the
reference digital print DP_ref being previously calculated using the same mechanism
applied to the genuine external memory, the external non-volatile memory being
authenticated if the digital print DP_calc matches with the reference digital print DP_ref.
[0016] According to an embodiment, the one or several memory cells belonging to the set
of memory cells identified using the memorized value MEM_ID are preserved from being
used for storing data.
[0017] According to an embodiment, the reference digital print DP_ref is memorized in the
processing unit and determined during the manufacturing of the embedded system when it
is associated to the external memory.
[0018] According to an embodiment, the reference digital print DP_ref can also be
re-calculated by the processing unit periodically or upon request.
[0019] According to an embodiment, the set of memory cells identified using the memorized
value MEM_ID is artificially worn out by applying a plurality of programming and erasure
(P/E) cycles in order to update the reference digital print DP_ref, said reference
digital print DP_ref being updated by using the new wear levels.
[0020] According to an embodiment, the first function F1 is injective.
[0021] The invention also relates to a method for determining a digital print DP_calc
identifying the state of an external non-volatile memory composed of a plurality
of memory cells by a processing unit comprising a secure memory containing a memorized
value MEM_ID attributed to said processing unit, the method being applied by the
processing unit and comprising the steps of:
- identifying a set of at least one memory cell of the external non-volatile memory
by applying a function F1 using the memorized value MEM_ID as an input;
- providing at least one wear level WL_n associated to the one or several memory cells
belonging to said set of at least one memory cell;
- determining the digital print DP_calc by applying a function F3 to the at least one
wear level WL_n.
[0022] According to an embodiment, the method comprises the step of comparing the digital
print DP_calc with a reference digital print DP_ref memorized by the processing unit,
the reference digital print DP_ref being previously calculated using the same mechanism
applied to the genuine external memory, the external non-volatile memory being
authenticated if the digital print DP_calc matches with the reference digital print DP_ref.
[0023] According to an embodiment, the function F1 is injective.
[0024] The invention also relates to a processing unit comprising a secure memory containing
a memorized value MEM_ID attributed to said processing unit, the processing unit being
configured to be associated with an external non-volatile memory and to carry out the
steps of the above method.
[0025] According to an embodiment, the secure memory is a one-time programmable (OTP) memory.
[0026] According to an embodiment, the memorized value MEM_ID is a unique identifier of
said processing unit.
[0027] According to an embodiment, the memorized value MEM_ID is a random number generated
and memorized in the processing unit during its manufacturing.
[0028] According to an embodiment, the processing unit comprises a baseband communication
chip, the memorized value MEM_ID being an International Mobile Equipment Identity (IMEI).
BRIEF DESCRIPTION OF THE DRAWINGS
[0029] Additional features and advantages of the invention will be more clearly understandable
after reading a detailed description of several embodiments of the invention, given
as an indicative and non-limitative example, in conjunction with the following drawings:
- Figure 1 is an example of architecture of an embedded system implementing a mechanism
to generate a digital print representative of a state of an external non-volatile
memory;
- Figure 2 illustrates the evolution of the wear level of a memory cell;
- Figure 3 provides an example flow chart with several steps designed to authenticate
an external memory;
- Figure 4 illustrates schematically how a value memorized in a processing unit can
be used for determining a list and possibly an order of the listed memory cells;
- Figure 5 provides an example of process leading to a wear value using the measurement
performed by a measurement controller associated to the external memory.
DETAILED DESCRIPTION
[0030] Figure 1 is an example of architecture of an embedded system implementing a mechanism to generate
a digital print representative of a state of an external non-volatile memory.
[0031] The embedded system 110 is composed of a processing unit 101 and an external persistent
memory 100. The processing unit 101 is for example a secure enclave or a system on
chip (SoC) comprising a central processing unit 102 and a one-time programmable memory
(OTP) 103 adapted to memorize an identifier. According to a preferred embodiment,
this identifier is a unique identifier attributed to the processing unit. As the processing
unit is integrated in the embedded system, it can be used for identifying the system.
For example, an IoT device can be identified using this identifier. This unique identifier
can be generated and provided by the manufacturer of the processing unit or by the
original equipment manufacturer (OEM) embedding the device.
[0032] The external memory 100 is also implemented in the embedded system but is not integrated
in the processing unit 101. The external memory 100 and the processing unit 101 are
able to communicate using a hardware interface 104, for example a serial or parallel
data bus.
[0033] According to an embodiment, the external persistent memory comprises a measurement
controller 120 allowing the wear level of the cells composing the external persistent
memory to be estimated.
[0034] The described mechanism aims at determining a digital print identifying a state of
the external non-volatile memory (100). For that purpose, one or several measurements
of the memory wear level of a predefined set of memory cells are used.
[0035] This mechanism can also be used by the processing unit to authenticate the external
memory in order to detect whether the memory in use is the genuine one or another external
memory replacing the genuine one, enabling a fraudster to conduct an attack.
[0036] A memory cell is a building block of a memory system. Binary data is stored by applying
erase/write cycles to the memory cells composing the memory system.
[0037] Figure 2 illustrates the evolution of the wear level of a memory cell.
[0038] The wear level of a memory cell is a strictly increasing function 200 of its usage.
A memory cell can only wear out, it cannot regenerate. As such, it can be considered
as a monotonic, irreversible, function of its usage. In the example of Figure 2, the
current memory wear level is indicated 201 and it is illustrated that it can only
increase over time.
[0039] A memory cell wears out as a function of its usage. The performance of memory cells
deteriorates as a function of the number of the programming and erasure cycles (P/E).
More precisely, these cycles cause memory cells to gain some extra charge and the
accumulation of this charge over time leads to wear-out of the memory cells. Measurements
of the wear level are used in existing technologies for implementing wear-leveling
mechanisms aiming at prolonging the longevity of the memory system, such as the one
described in the publication of the US patent application US20160335178A1 entitled
"Systems And Methods For Utilizing Wear Leveling Windows with Non-Volatile Memory Systems".
[0040] In case of a Flash memory, programming and erasure (P/E) cycling causes damage to
the tunnel oxide of the memory cells in the form of charge trapping in the oxide and
interface states. This physical phenomenon is detailed in the article of P. Olivo,
B. Ricco, and E. Sangiorgi entitled "High Field Induced Voltage Dependent Oxide Charge",
Applied Physics Letter, vol. 48, pp. 1135-1137, 1986. The memory cell wear-out caused by
P/E cycling is proportional to the programmed threshold voltage level. Therefore, a way
to estimate the wear level of a memory cell is to estimate this programmed threshold
voltage or its shift over time. For that purpose, a threshold voltage shift measurement
controller measuring a threshold voltage of a charge loss measurement for each cell in
each memory block of a flash memory device can be implemented in order to determine a
wear level of the memory block according to the measured threshold voltage. An example
of such technique is described in the publication US20090168524A1 of the US patent
application entitled "Wear level estimation in analogue memory cells". Another technology
to estimate the wear level of a memory cell is to use its timing and analogue
characteristics. For example, the number of retries needed for erasing a given memory
cell in order to reach a predefined charge level can be used as an indicator of the
wear level.
[0041] It is interesting to note that temperature variations can slightly influence the
wear level measurement of a memory cell. Therefore, according to an embodiment, a
temperature sensor can be implemented in the embedded system and the measured temperature
value can be used for improving the accuracy of the wear level measurements.
[0042] One important aspect of the invention is that the wear level of a predetermined set
of memory cells is used to authenticate the external memory. The aim is to generate
a footprint that is unique for a given memory when used in conjunction with a given
processing unit. For that purpose, a set of memory cells belonging to the external
memory is determined. The selection process implemented for determining the one or
several memory cells composing this set is dependent on the processing unit. In other
words, the selected set of memory cells is such that it allows the processing unit to
be bound to the external memory, providing the property of anti-cloning. According to
an example, the selection of the set of cells can be derived from a value MEM_ID
memorized securely in the processing unit. It can be for example a unique identifier
or a random seed provisioned in the processing unit at the manufacturing stage. This
value can for example be memorized in a one-time-programmable memory which is implemented
in the processing unit.
[0043] According to an embodiment, if the processing unit refers to a baseband communication
chip, the memorized value MEM_ID can be the International Mobile Equipment Identity
(IMEI). As the IMEI is generally written in a one-time programmable memory, the
modification needed to implement the invention is advantageously minimized.
[0044] Figure 3 provides an example flow chart with several steps designed to authenticate an external
memory.
[0045] The first step 300 is designed to identify the set of one or several memory cells
that will allow the binding of a given processing unit with the external memory.
For that purpose, a first function F1 can be implemented by the processing device to
determine the memory cells belonging to the aforementioned set from a predetermined
value memorized in the processing unit.
[0046] According to an example, the first function F1 can be chosen as a trivial identity
function. The memorized value MEM_ID corresponds for example to the concatenation of
several memory cell addresses.
[0047] According to another example, the first function F1 is a pseudo random number
generator (PRNG) using the memorized value MEM_ID as a seed.
[0048] A given memory cell can be identified by a physical raw address. The memory cell
addresses provided as an output after applying the first function F1 using the memorized
value MEM_ID as an input are noted in the sequel X_1, X_2, ..., X_N. The person skilled
in the art will understand these addresses can be those of a memory page, a memory block,
a sector, a bank, or any addressable memory area depending on the memory technology in
use, an addressable memory area corresponding to a memory cell in the context of this
invention.
[0049] Figure 4 illustrates schematically how a value memorized in a processing unit can be used
for determining a list and possibly an order of the listed memory cells.
[0050] According to an embodiment, the function F1 is injective with the advantage of
having a unique set of memory cells associated to each of the possible values MEM_ID
memorized in the processing unit. In that case, applying F1 to two different chip
identifiers MEM_ID(1) and MEM_ID(2) will lead to two different sets and orders 400, 401
of memory cells.
[0051] The memorized value MEM_ID is for example an identifier of a chip implementing the
processing unit.
[0052] The one or several outputs X_1, X_2, ..., X_N obtained by applying function F1
using the memorized value as an input therefore correspond to a set of physical
addresses corresponding to the set of memory cells to be involved in the process of
generating a digital print.
[0053] Then, a second step 301 aims at providing the wear level of the memory cells identified
at step 300. For that purpose, a threshold voltage shift measurement controller can
be used. It is for example implemented in the external memory and measures a threshold
voltage of a charge loss measurement M_n for each of the n-th cells of the selected set
of cells with n ∈ [1, N].
[0054] Figure 5 provides an example of process leading to a wear value using the measurement performed
by a measurement controller associated to the external memory.
[0055] A value WL_n can be provided for each of the memory cells belonging to the set
identified at step 300 by applying a second function F2 to the measurement obtained
from the controller:
[0056] Alternatively, the measurements M_n are taken directly as the wear levels, in that
case, one has:
[0057] Figure 6 illustrates the process of determining a digital print using the wear levels of a
selected set of memory cells.
[0058] Once the wear levels of the identified memory cells are collected, a step 302 is
applied with the aim of determining a digital print DP_calc derived from the collected
wear levels. A third function F3 can be used for that purpose:
[0059] Function F3 is chosen such that different combinations of wear level values lead to
different digital print values.
[0060] According to an embodiment, the function F3 is a hash function such as SHA-256.
[0061] According to another embodiment, the function F3 corresponds to a Cyclic Redundancy
Code (CRC) function.
[0062] According to another embodiment, the function F3 is chosen for generating a digital
signature. Function F3 corresponds for example to a Digital Signature Algorithm (DSA).
[0063] Then, a step 303 compares the digital print DP_calc with a reference digital print
DP_ref and if these are identical, the memory is authenticated.
[0064] On the contrary, if the digital print DP_calc differs from the reference digital
print DP_ref, a critical event is detected and appropriate actions can be applied by the
processing unit. A non-limitative list of examples of so-called appropriate actions is:
log event, burn a fuse of a one-time-programmable memory (OTP) indicating a security
critical error event, self-destruct by wiping a critical memory area upon security error
detection, system mute, forcing the system to reboot, notification of a suspected attack.
[0065] According to an embodiment, the reference digital print DP_ref is determined by the
embedded system at the manufacturing stage. This value can also be updated during the
life-time of the embedded system.
[0066] As the wear level of a memory cell increases over time depending on its use, there
are several options that can be implemented for making sure that the reference digital
print DP_ref is up to date for enabling the authentication of a genuine external memory.
[0067] According to an embodiment, the one or several memory cells belonging to the set
of memory cells associated to the memorized chip identifier are preserved from being
used for storing data. This can be carried out by the memory management of the software
implemented by the processing unit. Therefore, these are not subject to programming
and erasure (P/E) cycles and consequently their wear level remains steady over time.
[0068] According to another embodiment, the reference digital print DP_ref can also be
re-calculated by the processing unit periodically or upon request. This is particularly
useful if the memory cells belonging to the set of memory cells associated to the
memorized chip identifier are used for storing data and not subject to programming and
erasure (P/E) cycles.
[0069] According to another embodiment, one or several memory cells belonging to the set
of memory cells associated to the memorized chip identifier can be artificially worn
out by applying a plurality of programming and erasure (P/E) cycles in order to update
the reference digital print DP_ref. The skilled person will understand that the reference
digital print DP_ref has to be recalculated and memorized securely by the chip
implementing the processing unit.
[0070] For calculating the reference digital print DP_ref, the same method is used as the
one used for calculating DP_calc. The reference digital print DP_ref is calculated or
re-calculated preferably at a time where the measured external memory is trusted as the
genuine one. For example, the reference digital print DP_ref can be initialized during
the manufacturing of the embedded system, when the external memory is associated to the
processing unit.
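Steps 300 to 303 and the reference update of paragraph [0069] can be followed end to end in the sketch below, which is an added example and not part of the original patent text. It assumes SHA-256 in counter mode as the MEM_ID-seeded PRNG for F1, a quantizing F2, SHA-256 as F3, and a simulated memory whose measurements, set size and MEM_ID value are constructed for the illustration.

```python
import hashlib
import hmac
import struct

NUM_CELLS = 4096  # addressable areas in the simulated external memory (assumed)
SET_SIZE = 8      # N, size of the selected set (assumed)
WL_STEP = 16      # quantization step of the assumed F2


def f1_select_cells(mem_id, num_cells=NUM_CELLS, n=SET_SIZE):
    """F1: ordered list X_1..X_N of distinct addresses derived from MEM_ID.

    SHA-256 in counter mode stands in for the PRNG seeded with MEM_ID.
    """
    if n > num_cells:
        raise ValueError("selected set cannot exceed the memory size")
    addresses, counter = [], 0
    while len(addresses) < n:
        block = hashlib.sha256(mem_id + struct.pack(">I", counter)).digest()
        counter += 1
        candidate = int.from_bytes(block[:8], "big") % num_cells
        if candidate not in addresses:  # keep addresses distinct
            addresses.append(candidate)
    return addresses


def f2_wear_level(measurement, step=WL_STEP):
    """F2 (assumed): quantize M_n so small measurement noise keeps WL_n stable.

    A value sitting on a bin edge can still flip; real firmware needs margins.
    """
    return measurement // step


def f3_digital_print(wear_levels):
    """F3: SHA-256 over the ordered wear levels, each encoded on 4 bytes."""
    h = hashlib.sha256()
    for wl in wear_levels:
        h.update(struct.pack(">I", wl))
    return h.digest()


def compute_dp(mem_id, read_measurement):
    """Steps 300-302: select cells, read their wear, derive the digital print."""
    cells = f1_select_cells(mem_id)
    return f3_digital_print([f2_wear_level(read_measurement(x)) for x in cells])


def authenticate(mem_id, read_measurement, dp_ref):
    """Step 303: constant-time comparison of DP_calc with DP_ref."""
    return hmac.compare_digest(compute_dp(mem_id, read_measurement), dp_ref)


def make_memory(label):
    """Constructed sample data: one raw wear measurement per cell of a chip."""
    return [
        int.from_bytes(hashlib.sha256(label + struct.pack(">I", a)).digest()[:2], "big")
        for a in range(NUM_CELLS)
    ]


def demo():
    mem_id = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed value
    genuine = make_memory(b"genuine-chip")
    substitute = make_memory(b"substitute-chip")
    dp_ref = compute_dp(mem_id, genuine.__getitem__)  # enrolment at manufacturing
    results = {
        "genuine": authenticate(mem_id, genuine.__getitem__, dp_ref),
        "substitute": authenticate(mem_id, substitute.__getitem__, dp_ref),
    }
    # Paragraph [0069]: P/E cycles raise the wear of a selected cell, then
    # DP_ref is recomputed; the earlier wear state no longer authenticates.
    worn = list(genuine)
    worn[f1_select_cells(mem_id)[0]] += 4 * WL_STEP
    results["worn_vs_old_ref"] = authenticate(mem_id, worn.__getitem__, dp_ref)
    new_ref = compute_dp(mem_id, worn.__getitem__)
    results["worn_vs_new_ref"] = authenticate(mem_id, worn.__getitem__, new_ref)
    results["old_state_vs_new_ref"] = authenticate(mem_id, genuine.__getitem__, new_ref)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'authenticated' if ok else 'critical event'}")
```

Because F3 here is an exact-match hash, any wear level that drifts across a quantization boundary produces a mismatch, which is why the temperature compensation of paragraph [0041] and the choice of F2 matter in practice.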
1. An embedded system (110) comprising an external non-volatile memory (100) composed
of a plurality of memory cells and a processing unit (101) comprising a secure memory
(103) containing a memorized value MEM_ID attributed to said processing unit (101), the
processing unit (101) being configured to determine a digital print DP_calc identifying
a state of the external non-volatile memory (100) by:
- identifying a set of at least one memory cell of the external non-volatile memory
(100) by applying a function F1 using the memorized value MEM_ID as an input;
- providing at least one wear level WL_n associated to the one or several memory cells
belonging to said set of at least one memory cell;
- determining the digital print DP_calc by applying a function F3 to the at least one
wear level WL_n.
2. An embedded system (110) according to claim 1, wherein the digital print DP_calc is used for authenticating the external non-volatile memory by the processing unit
(101) by comparing said digital print DP_calc with a reference digital print DP_ref memorized by the processing unit (101), the reference digital print DP_ref being previously calculated using the same mechanism applied to the genuine external
memory, the external non-volatile memory (100) being authenticated if the digital
print DP_calc matches with the reference digital print DP_ref.
3. An embedded system (110) according to any of the preceding claims, wherein the one
or several memory cells belonging to the set of memory cells identified using the
memorized value MEM_ID are preserved from being used for storing data.
4. An embedded system (110) according to any of claims 2 or 3, wherein the reference
digital print DP_ref is memorized in the processing unit and determined during the
manufacturing of the embedded system when it is associated to the external memory.
5. An embedded system (110) according to any of claims 2 to 4, wherein the reference
digital print DP_ref can also be re-calculated by the processing unit periodically or upon request.
6. An embedded system (110) according to any of claims 2 to 5, wherein the set of memory
cells identified using the memorized value MEM_ID is artificially worn out by applying a
plurality of programming and erasure (P/E) cycles in order to update the reference
digital print DP_ref, said reference digital print DP_ref being updated by using the
new wear levels.
7. An embedded system (110) according to any of the preceding claims, wherein the first
function F1 is injective.
8. A method for determining a digital print DP_calc identifying the state of an external
non-volatile memory (100) composed of a plurality of memory cells by a processing unit
(101) comprising a secure memory (103) containing a memorized value MEM_ID attributed to
said processing unit (101), the method being applied by the processing unit (101) and
comprising the steps of:
- identifying (300) a set of at least one memory cell of the external non-volatile
memory (100) by applying a function F1 using the memorized value MEM_ID as an input;
- providing (301) at least one wear level WL_n associated to the one or several memory
cells belonging to said set of at least one memory cell;
- determining (302) the digital print DP_calc by applying a function F3 to the at least
one wear level WL_n.
9. Method according to claim 8, comprising the step of comparing (303) the digital print
DP_calc with a reference digital print DP_ref memorized by the processing unit, the reference digital print DP_ref being previously calculated using the same mechanism applied to the genuine external
memory, the external non-volatile memory (100) being authenticated (304) if the digital
print DP_calc matches with the reference digital print DP_ref.
10. A method according to any of claims 8 or 9, wherein the function F1 is injective.
11. A processing unit (101) comprising a secure memory (103) containing a memorized value
MEM_ID attributed to said processing unit (101), the processing unit (101) being
configured to be associated with an external non-volatile memory (100) and to carry out
the steps of the method according to any of claims 8 to 10.
12. A processing unit according to claim 11, wherein the secure memory is a one-time programmable
(OTP) memory.
13. A processing unit according to any of claims 11 to 12, wherein the memorized value
MEM_ID is a unique identifier of said processing unit.
14. A processing unit according to any of claims 11 to 13, wherein the memorized value
MEM_ID is a random number generated and memorized in the processing unit during its
manufacturing.
15. A processing unit according to any of claims 12 comprising a baseband communication
chip, the memorized value MEM_ID being an International Mobile Equipment Identity (IMEI).